Exploit on the 'net that brings down Sygate?

Discussion in 'other firewalls' started by Pikachu762, May 19, 2004.

Thread Status:
Not open for further replies.
  1. Pikachu762

    Pikachu762 Registered Member

    Joined:
    Jan 31, 2004
    Posts:
    41
    Hi everyone,

    I posted about Sygate crashing in the PG forum a couple days ago, thinking it was somehow related to PG, or that PG could stop the crashes and failures.

    But now I'm thinking that there is an exploit out there that will bring down Sygate. I am finding that SPF is crashing only when this bad inbound traffic is occurring. Many times it blocks incoming stuff, but fairly often my firewall will die without warning. These bad packets are hitting me on a variety of ports, but 5000 seems to be the most commonly used. 0, 80, and 113 are also used fairly often. The remote ports from which the connection attempts originate are high-numbered.

    I have seen .dll requesters pop up, asking for permission, and within seconds of their appearance, they disappear again, and the Sygate program is no longer running. The icon for SPF remains in the lower right, but it goes away if I move the mouse pointer over it. Yesterday this happened twice in a row, in rapid succession. (The request was something about a remote initiated connection attempt to load .dll files relating to Windows help).

    Here is some info from my event log. Most of this I don't really understand, but perhaps it has something to do with SPF crashing all the time. Maybe there isn't an exploit out there, but I have a misconfiguration on my machine.

    In the System log, there is an entry from today saying the Service Control Manager is giving me an Error, and the Event ID is 7034. It says "The Sygate Personal Firewall service terminated unexpectedly. It has done this 2 time(s)." I've tried looking around a bit, but I haven't found anything that explains what Event ID 7034 is, and WHY Sygate is crashing.

    The Event Viewer for this System log entry says a file named netevent.dll is involved, version 5.1.2600.0

    In my Security log, there are a few entries I also don't understand. These entries were created shortly after I logged on, before connecting to the net.

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Policy Change
    Event ID: 615
    Date: 5/19/2004
    Time: 5:56:00 PM
    User: NT AUTHORITY\NETWORK SERVICE
    Computer: POOP1
    Description:
    IPSec Services: IPSec Services failed to get the complete list of network interfaces on the machine. This can be a potential security hazard to the machine since some of the network interfaces may not get the protection as desired by the applied IPSec filters. Please run IPSec monitor snap-in to further diagnose the problem.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Policy Change
    Event ID: 615
    Date: 5/19/2004
    Time: 5:56:01 PM
    User: NT AUTHORITY\NETWORK SERVICE
    Computer: POOP1
    Description:
    IPSec Services: IPSec Services failed to initialize RPC server with error code: The authentication service is unknown.
    . IPSec Services could not be started.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Account Logon
    Event ID: 680
    Date: 5/19/2004
    Time: 5:56:01 PM
    User: NT AUTHORITY\SYSTEM
    Computer: POOP1
    Description:
    Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Logon account: (***myname***)
    Source Workstation: POOP1
    Error Code: 0xC000006A

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 529
    Date: 5/19/2004
    Time: 5:56:01 PM
    User: NT AUTHORITY\SYSTEM
    Computer: POOP1
    Description:
    Logon Failure:
    Reason: Unknown user name or bad password
    User Name: (***myname***)
    Domain: POOP1
    Logon Type: 2
    Logon Process: Advapi
    Authentication Package: Negotiate
    Workstation Name: POOP1

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


    (Why the heck is this appearing? o_O I didn't make a mistake when I typed in my password, I just typed it once and logged right in....)

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Account Logon
    Event ID: 680
    Date: 5/19/2004
    Time: 5:56:01 PM
    User: NT AUTHORITY\SYSTEM
    Computer: POOP1
    Description:
    Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Logon account: (***myname***)
    Source Workstation: POOP1
    Error Code: 0xC000006A


    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    And finally, we have my successful logon entry...

    Event Type: Success Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 528
    Date: 5/19/2004
    Time: 5:56:11 PM
    User: POOP1\(***myname***)
    Computer: POOP1
    Description:
    Successful Logon:
    User Name: (***myname***)
    Domain: POOP1
    Logon ID: (0x0,0xDB75)
    Logon Type: 2
    Logon Process: User32
    Authentication Package: Negotiate
    Workstation Name: POOP1
    Logon GUID: {00000000-0000-0000-0000-000000000000}

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    I don't have other computers or routers involved at home. I am connecting to the 'net through a dialup. I am also running TDS-3, PG, port explorer, AntiVir, and Opera 7.50 when I'm online.
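As an added example (not part of any post in this thread), here is a small Python script that reads Event Viewer records in the text layout quoted above and pulls out the two things worth checking first: the Service Control Manager 7034 crash counter and what the 680/529 failure audits actually say. The sample records are constructed in that layout (the 7034 record with a placeholder time, the account name replaced by `someuser`). The decoding relies on documented field meanings: 0xC000006A is STATUS_WRONG_PASSWORD, and a 529 whose Logon Process is User32 came from the logon screen while one via Advapi came from a program calling the LogonUser API; which program that was is not something the log shows.

```python
import re

# Constructed sample in the Event Viewer text layout quoted in the post: an SCM 7034
# record (time is a placeholder) and the 680/529 failure audits, account name replaced.
SAMPLE_EVENTS = """\
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7034
Date: 5/19/2004
Time: 5:40:12 PM
User: N/A
Computer: POOP1
Description:
The Sygate Personal Firewall service terminated unexpectedly.  It has done this 2 time(s).

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 5/19/2004
Time: 5:56:01 PM
User: NT AUTHORITY\\SYSTEM
Computer: POOP1
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: someuser
Source Workstation: POOP1
Error Code: 0xC000006A

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 5/19/2004
Time: 5:56:01 PM
User: NT AUTHORITY\\SYSTEM
Computer: POOP1
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: someuser
Domain: POOP1
Logon Type: 2
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: POOP1
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /]*?):\s*(.*)$")
CRASH_RE = re.compile(r"The (.+?) service terminated unexpectedly\.\s+It has done this (\d+) time\(s\)")
# NTSTATUS values that show up in the Error Code field of event 680.
NTSTATUS = {
    "0xC000006A": "STATUS_WRONG_PASSWORD",
    "0xC0000064": "STATUS_NO_SUCH_USER",
    "0xC0000234": "STATUS_ACCOUNT_LOCKED_OUT",
}

def parse_records(text):
    """One dict per record: header lines and 'Key: Value' lines of the description
    become entries, the free-text description is kept whole under 'description'."""
    records = []
    for chunk in re.split(r"\n(?=Event Type:)", text.strip()):
        rec, fields, desc, in_desc = {}, {}, [], False
        for line in chunk.splitlines():
            m = FIELD_RE.match(line)
            if in_desc:
                desc.append(line)
                if m:
                    fields[m.group(1)] = m.group(2)
            elif m and m.group(1) == "Description":
                in_desc = True
            elif m:
                rec[m.group(1)] = m.group(2)
        rec["fields"], rec["description"] = fields, "\n".join(desc).strip()
        records.append(rec)
    return records

def service_crashes(records):
    """(service name, cumulative crash count) for every Service Control Manager 7034."""
    hits = []
    for rec in records:
        if rec.get("Event ID") == "7034":
            m = CRASH_RE.search(rec["description"])
            if m:
                hits.append((m.group(1), int(m.group(2))))
    return hits

def logon_failures(records):
    """Decode the 680 status code; for a 529, say whether it came from the logon screen."""
    out = []
    for rec in records:
        eid, f = rec.get("Event ID"), rec["fields"]
        if eid == "680":
            code = f.get("Error Code", "")
            out.append({"event": 680, "account": f.get("Logon account"), "status": NTSTATUS.get(code, code)})
        elif eid == "529":
            # User32 = winlogon (password typed at the logon screen); Advapi = a program
            # called LogonUser() itself, so the failure is not the user's typo.
            proc = f.get("Logon Process", "")
            out.append({"event": 529, "account": f.get("User Name"), "logon_process": proc,
                        "typed_by_user": proc.lower() == "user32"})
    return out
```

Run against a real export, the 7034 count tells you how often the service has died since boot, and the 529 entries with Logon Process Advapi point at something on the machine that logs on with stored credentials rather than at the person at the keyboard.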
     
  2. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    Quick question here: Have you posted about this issue in the Sygate forums at http://forums.sygate.com/vb/forumdisplay.php?forumid=6 . I just looked rather quickly and didn't see anything that seemed to be this issue. And I would think that Sygate might like to know.
     
  3. Pikachu762

    Pikachu762 Registered Member

    Joined:
    Jan 31, 2004
    Posts:
    41
    I just posted this on the Sygate forum for SPF free. I hope someone can tell me what's going on with my machine. Something is clearly not right, given the log entries I'm getting and SPF crashing all the time.

    This is frustrating....
     
  4. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    I suspect it may be worse than 'frustrating'.

    I just wanted to encourage you to post over there, so they'd know. I'd seen a vague reference to something very similar in one of the NNTP newsgroups a few days ago, so after seeing your post here, I went over there and didn't immediately see anything.

    Sometimes, it just takes one person to get the ball rolling and you may end up with a dozen others chiming in. I had an earlier version of SPF running on a machine here, but we just took it off last week, so I couldn't take a look at it myself.

    Keep tracking this thread, also. Someone may show up eventually with some helpful ideas.
     
  5. yo yo

    yo yo Guest

    Open Sygate Personal Firewall, click on TOOLS, then click OPTIONS, click on
    SECURITY and make sure you check the box that says BLOCK ALL TRAFFIC WHEN SERVICE IS NOT LOADED. This option prevents hackers and their trojans from gaining access to your system if Sygate crashes. Until Sygate comes out with a newer version, I still believe Sygate Personal Firewall is the best software firewall solution on the market today, period.
     
  6. Delgado

    Delgado Registered Member

    Joined:
    Apr 28, 2004
    Posts:
    131
    I always used to use Sygate Personal Firewall, but since going Broadband have been unable to do so. I am on Tiscali Broadband, using a Sagem ADSL Box, and I have tried all versions of Sygate, but all suddenly crash and switch off for no reason. I am now using Zone Alarm.
     
  7. dread

    dread Registered Member

    Joined:
    May 18, 2004
    Posts:
    195
    There probably is one for Sygate; I wouldn't doubt it. I know there are a lot for Zone Alarm. I never looked into it or paid attention to it until one day I went to a website and the site totally killed Zone Alarm. And I do mean killed. I uninstalled, deleted the folders, ran a registry cleaner, reinstalled it and still no go; that's when I trashed Zone Alarm. Don't know if they fixed it or not, but they will make exploits for the more well-known firewalls: Sygate, ZoneAlarm, Kerio, Norton etc. Just hope the firewall companies are patching/fixing the problems.
     
  8. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,122
    Location:
    Texas

    Don't most antivirus, firewall, etc apps have an option to password protect the program?

    If "something" tries to modify or take over the app, your password window should pop up.

    Any insight?
     
  9. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    I've not heard of any anti-virus utility doing this and while some firewalls do offer the ability to password-protect their configuration, this is to protect against it being modified by others rather than as a means of trojan defence (a utility like Process Guard would be needed for this). Such a feature is overdue though - and any such password window needs to use "OCR-proof" techniques to verify that it is a real human rather than a sophisticated trojan responding (again, Process Guard has a good implementation of this).

    If Sygate is being terminated by suspect packets, one option could be to use a packet sniffer like Ethereal to capture those packets for further inspection. Ideally, if you had a second machine, you could use it to "replay" the capture frame-by-frame allowing you to identify the exact packet responsible - but Ethereal does not offer this facility (although TCPReplay could do this if you have a Linux system handy).
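One way to do what the post above suggests, as an added example that is not from the thread: a pure-Python libpcap reader that takes a capture of the kind Ethereal saves, plus the crash time from the 7034 event, and lists the packets that arrived in the seconds before the firewall died, with a histogram of their destination ports. The capture here is constructed in memory (addresses 198.51.100.7 and 192.0.2.10, the destination ports the first post mentions, a 5-second window) so it runs offline; nothing in it identifies a real trigger packet, and the replay step would still need TCPReplay on a second machine.

```python
import struct
from collections import Counter
from datetime import datetime, timezone

PCAP_MAGIC = 0xA1B2C3D4          # little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1
PROTO_TCP, PROTO_UDP = 6, 17

def ip_to_bytes(addr):
    return bytes(int(o) for o in addr.split("."))

def build_frame(src_ip, sport, dst_ip, dport, proto=PROTO_TCP, tcp_flags=0x02):
    """Ethernet + IPv4 + TCP/UDP header with no payload (checksums left at 0)."""
    if proto == PROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, tcp_flags, 8192, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0x4000, 64, proto, 0,
                     ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    eth = b"\x00" * 6 + b"\x00" * 5 + b"\x01" + struct.pack("!H", 0x0800)
    return eth + ip + l4

def build_pcap(frames):
    """frames: iterable of (epoch_seconds, frame_bytes) -> bytes of a libpcap file."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, frame in frames:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)

def read_pcap(data):
    """Minimal libpcap reader: yields one dict per IPv4 TCP/UDP packet."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("only little-endian Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _ = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        l4 = frame[14 + ihl:]
        if proto not in (PROTO_TCP, PROTO_UDP) or len(l4) < 8:
            continue
        sport, dport = struct.unpack("!HH", l4[:4])
        flags = l4[13] if proto == PROTO_TCP and len(l4) >= 14 else None
        yield {"ts": sec + usec / 1e6,
               "src": ".".join(str(b) for b in frame[26:30]), "sport": sport,
               "dst": ".".join(str(b) for b in frame[30:34]), "dport": dport,
               "proto": proto, "flags": flags}

def candidate_triggers(packets, crash_ts, window_s=5.0):
    """Packets that arrived in the window_s seconds leading up to the crash."""
    return [p for p in packets if crash_ts - window_s <= p["ts"] <= crash_ts]

def port_histogram(packets):
    return Counter(p["dport"] for p in packets)

# Constructed capture: SYNs from high source ports to the dial-up host, with the crash
# time taken from the (placeholder) 7034 event. T0 is fixed to UTC for repeatability.
T0 = datetime(2004, 5, 19, 17, 40, 0, tzinfo=timezone.utc).timestamp()
CRASH_TS = T0 + 12
SAMPLE_PCAP = build_pcap([
    (T0 + 1.0,  build_frame("198.51.100.7", 40123, "192.0.2.10", 80)),
    (T0 + 9.2,  build_frame("198.51.100.7", 40124, "192.0.2.10", 5000)),
    (T0 + 11.5, build_frame("198.51.100.7", 40125, "192.0.2.10", 0)),
    (T0 + 11.8, build_frame("198.51.100.7", 40126, "192.0.2.10", 113)),
    (T0 + 30.0, build_frame("198.51.100.7", 40127, "192.0.2.10", 5000)),
])

if __name__ == "__main__":
    pkts = list(read_pcap(SAMPLE_PCAP))
    hits = candidate_triggers(pkts, CRASH_TS)
    for p in hits:
        print(f"{p['ts'] - CRASH_TS:+.1f}s  {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']}"
              f"  flags=0x{p['flags']:02x}")
    print("destination ports in window:", dict(port_histogram(hits)))
```

With a real capture, read the file with `read_pcap(open(path, "rb").read())`, convert the 7034 event's local time to an epoch value with the same clock the sniffer used, and widen the window until the candidate list stops being empty; the PC's clock and the capture clock must agree for any of this to mean anything.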
     
  10. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,229
    Most of the AV apps I know of use password protection. Sygate Pro also has an "ask for password before exiting" option. I don't think the free version has this option though. Sounds like you have some type of trojan or something broadcasting your address. You said you are using a dial-up connection, so your IP address should change each time you sign on, and yet they are still finding you. Which programs do you allow server rights to?
     
  11. Denim

    Denim Registered Member

    Joined:
    Apr 2, 2004
    Posts:
    20
    I too am running Sygate Personal Firewall. And before the new one came out at the first of this month, yes, there was a major exploit in the 5.5 version, build 2555. Sygate was aware of this issue, as they did address it on their website http://www.sygate.com/alerts/SSR20040616-0001.htm as well as in their newsletters. BTW, if you sign up for their free newsletters they do send you the updates right to your inbox.
    I was getting a lot of hits by some hacker that went by the name RIPE, and his IP addy stated, "the whole world is my email address, so get over it."
    I found this out by doing a backtrace to see where the source of the hits was coming from, and I dropped a line to the techs. And I guess Sygate was on the job like they always are; 3 or 4 days later I got their newsletter, stating that there were vulnerabilities in their 2555 build, and a link to the site with the new 5577 build. I uninstalled the old one and installed the new one, and since then the only hits I have been getting are either from my ISP server (I'm on dial-up here) or from Sygate themselves when I do my security checks there at their site.
    But when you start getting a lot of critical hits like that, or it is not letting you access somewhere, check down in your taskbar next to your clock and see if the icon is flashing red. If so, click on it, then right-click on the IP addy you see there, then left-click on Back Trace, then highlight one of the IP addys in the back trace log and click the Whois button, and that will tell you exactly who is scanning your system and where it is coming from. And if it looks bad enough, just ask Sygate how you make a copy of the log, after telling them about it, to turn over to the F.B.I. or your ISP for further investigation.
    But I love my Sygate, as they are the BEST FREE firewall out there, and to this date, as far as I know, I haven't ever been hacked through yet!! But that is just my 2 cents is all.

    Oh, and as far as knocking them off the net, no, it did NOT do that, as they are always one step ahead of the game. :)
    And for all of you wireless users, yes, they do have new updates and stuff for y'all too.

    I hoped I helped :)
    :) Denim :)
     
  12. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Forget the FBI - they will only consider cases where more than $5,000 worth of damage has been done. The originating ISP may be a better bet - but you need to have full details of the traffic involved with accurate times (i.e. make sure your PC's clock has been synchronised with a timeserver). Even then, odds are that there will be no response.

    For most people, a better solution is to submit firewall logs to groups like DShield.org or MyNetWatchman.
     
  13. Hyperion

    Hyperion Registered Member

    Joined:
    Sep 29, 2003
    Posts:
    302
    Sygate free has password protection for accessing the control panel, and there is also the option to ask for the password when exiting. What the free version doesn't have is the "Block internet traffic when the firewall isn't loaded" feature.
     